Monthly archives: February 2014

DirectAccess Client troubleshooter

Some people at Microsoft deserve their share of kudos. It’s not always easy to troubleshoot DirectAccess problems. Most of the time they come from a misconfiguration. We can search for a long time if we do not have access to the computer. As we cannot diagnose problems the way Doctor House does, we need to rely on a strong methodology.

 

The problem is that DirectAccess is built from multiple Lego-like building blocks (IPv6 is only one of them). If a strong methodology is a good starting point, a good diagnostic tool is also appreciated. Until now we were only able to rely on the built-in NCA/DAC capabilities. They certainly help a lot, but parsing raw data takes a long time. To help us, we now have the DirectAccess client troubleshooter. It:

  • Is small to download
  • Relies only on .NET Framework 4
  • Works from Windows 7 to Windows 8.1

And it may help you save a lot of time.

 

In my case, I know that I have multiple problems (even if my DirectAccess client operates like a charm). I hope we will have an updated version to diagnose more cases.

 

BenoîtS – Simple and Secure by design but Business compliant

Implementing SQL Server with the System Center product family is that simple

When you install one of the System Center products, a large number of questions about SQL Server come up before the installation even starts. An MVP had the smart idea of consolidating all the information needed to implement SQL Server for every deployment scenario supported to date into a single document. There is even some PowerShell to industrialize the process, so you might as well take advantage of it. The guide contains essential information such as this item for SCOM, which I was completely unaware of:

image

 

In short, it’s a must-know to avoid having to reinstall a SQL cluster.

 

BenoîtS – Simple and Secure by Design but Business compliant

ADCS CA private key location change (again)

That’s a tricky point that can lead to serious problems. How can you restore the ADCS database if you do not have the private key of your Certificate Authority? Simple: it’s included in the System State backup. That may be right in some situations. Let’s see.

 

Yes but no

Since Windows 2008, the private key of your favorite ADCS CA is stored in the "%systemdrive%\ProgramData\Microsoft\Crypto\Keys" folder, which is also accessible via "%systemdrive%\users\all users\microsoft\crypto\keys". By default, the built-in Windows backup solution does not include this folder in the System State backup. That’s the reason for this initial ADCS team blog post.

For this reason, it’s always recommended to perform a manual backup of the ADCS key using "CERTUTIL -BackupKey <Destination Folder>" and to keep the result in a safe. This was the default behavior for Windows 2008 and Windows 2008 R2.

That was before Windows Server 2012

With Windows Server 2012 and Windows Server 2012 R2, Microsoft fixed that point. While reading the what’s new section of the Windows Server 2012 ADCS role, I discovered that the Windows Server 2012 Windows backup tool is now able to back up the ADCS private key as part of a System State backup. I also discovered that this behavior also applies to Windows Server 2008 / 2008 R2 with KB2603469. When it is installed, we can have the same behavior from Windows 2008 to Windows Server 2012 R2.

 

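To be clear, a simple table:

| Operating system | KB2603469 applicable | KB2603469 installed | Included in System State backup |
|------------------|----------------------|---------------------|---------------------------------|
| Windows 2008     | Yes                  | No                  | No                              |
| Windows 2008     | Yes                  | Yes                 | Yes                             |
| Windows 2008 R2  | Yes                  | No                  | No                              |
| Windows 2008 R2  | Yes                  | Yes                 | Yes                             |
| Windows 2012     | No                   | N/A                 | Yes                             |
| Windows 2012 R2  | No                   | N/A                 | Yes                             |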

 

Some PowerShell stuff

Of course, since Windows Server 2012, you can replace the legacy CERTUTIL.EXE -BACKUPKEY command with the "Backup-CARoleService" PowerShell command.

BenoîtS – Simple and Secure by Design but Business compliant
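
The table and the two backup commands from the ADCS post, combined into one check, as an added example that is not from the original post: it reports whether a System State backup alone would capture the CA private key, then takes an explicit key backup. The destination path and the function name Test-CAKeyInSystemState are assumptions, and the version mapping (6.0 to 6.3) covers only the operating systems listed in the table.

```powershell
# Added example, not from the original post. Run elevated on the CA server.
param([string]$Destination = 'C:\CAKeyBackup')   # placeholder path (assumption)

function Test-CAKeyInSystemState {
    # Encodes the table: does a System State backup include the CA private key?
    param([version]$OsVersion, [bool]$KbInstalled)
    if ($OsVersion.Major -ne 6 -or $OsVersion.Minor -gt 3) {
        Write-Warning "OS version $OsVersion is not covered by the table."
        return $false   # unknown: treat as not covered
    }
    if ($OsVersion.Minor -le 1) { return $KbInstalled }   # 6.0 = 2008, 6.1 = 2008 R2
    return $true                                          # 6.2 = 2012, 6.3 = 2012 R2
}

$os = [version](Get-WmiObject Win32_OperatingSystem).Version
$kb = [bool](Get-HotFix -Id 'KB2603469' -ErrorAction SilentlyContinue)
if (Test-CAKeyInSystemState -OsVersion $os -KbInstalled $kb) {
    Write-Output 'System State backup includes the CA private key.'
} else {
    Write-Warning 'System State backup does NOT include the CA private key.'
}

# Take an explicit, password-protected key backup either way.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
if (Get-Command Backup-CARoleService -ErrorAction SilentlyContinue) {
    $pw = Read-Host -Prompt 'Password for the exported key' -AsSecureString
    Backup-CARoleService -Path $Destination -KeyOnly -Password $pw
} else {
    # Cmdlet not available: certutil prompts for the password interactively.
    & certutil.exe -backupKey $Destination
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupKey failed ($LASTEXITCODE)" }
}
```

Both commands expect the destination folder to be empty; move the resulting key file off the server and into the safe afterwards.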